<cf tags are not removed by the editor, neither are ASP (<%) or (<asp:) tags removed

Description

I see that in the config file you can set protected sources like php and asp. I run my site on a CF server and need to limit the users from putting <cf tags in the editor. Perhaps a good fix would be to allow you to specify (using regex) tags you don't want. Basically the reverse of protected sources.

During my testing I noticed that though in the config it has commented out sections for the asp and asp.net tags, it also allowed them into the page.

Though for database stored pages, this wouldn't be a huge bug (at least on a CF server since CF wouldn't evaluate it) I am currently using this to store pages directly to files and need to have it strip out all CF code.

On a side note, it does seem to be working for php and stripping out that ('<?' or '<?php').

If you need to know, All CF tags start with '<cf' so stripping them out shouldn't be a problem using regex.

Change History (1)

The reason for ProtectedSource is that the browser can destroy anything that it doesn't understand, so that option can protect any element that the browser will try to parse and break.

But the editor shouldn't care about your security as that part must be done at the server. You can't trust anything that it's sent by a client because the user can easily inject any javascript and send back to you anything that they want.

Yes, it would be possible to remove that tags in the editor, but if it was done that way you wouln't have realized about this problem and an attacker could have injected anything in your server easily bypassing any protection placed in FCKeditor.